Cisco ASA 5510 with Postini

gedruspax (United States) asked:

I just started working here about 6 months ago, and this organization has their backbone router (150.50.1.1, Cisco 2610) with a default gateway setting of 0.0.0.0 0.0.0.0 150.50.1.89, where .89 is the inside interface of a Sun Microsystems Cobalt Qube3. This device has an external interface of 74.xxx.xxx.130 and a default gateway setting of 74.xxx.xxx.129, where .129 is the address of our BellSouth managed router that our T1 line is on.

They bought a Cisco ASA 5510 before I got here and all they've been using it for is a VPN endpoint, so I'm trying to get all the traffic going out through the ASA instead of the Qube so we can decommission it. I have internet access working. I switched the default gateway of 150.50.1.1 (the backbone router) to 0.0.0.0 0.0.0.0 150.50.1.29, where .29 is the internal interface of the ASA. I then configured the ASA with an outside interface address of 74.xxx.xxx.149 and made its default gateway 0.0.0.0 0.0.0.0 74.xxx.xxx.129.

So now I have all my traffic going out through the ASA, no problem. I made the switch last night, tested it, and everything looked good. Came in this morning and my users are telling me, hey, we aren't getting any emails from external sources. So I log in to Postini and sure enough the Delivery Manager is set to deliver to 74.xxx.xxx.130 (the outside address of the old Qube). OK, so I change this address to 74.xxx.xxx.149 (the outside address of the ASA).

Well, that didn't fix it, as Postini is reporting that it cannot connect to 74.xxx.xxx.149.

FYI, the IP address of our Exchange server is 150.50.1.37 and Postini's network range is 64.18.0.0 255.255.240.0.

So I go into the ASA config and add:

access-list [outside interface name]_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 74.xxx.xxx.149 eq smtp
access-group [outside interface name]_access_in in interface [outside interface name]

access-list [inside interface name]_access_out extended permit tcp host 150.50.1.37 64.18.0.0 255.255.240.0 eq smtp
access-list [inside interface name]_access_out extended deny tcp any any eq smtp
access-list [inside interface name]_access_out extended permit ip any any
access-group [inside interface name]_access_out in interface inside

No dice; Postini's web interface still reports that it cannot connect to 74.xxx.xxx.149.

I can run a traceroute from postini's web interface to 74.xxx.xxx.149 and it gets there successfully so obviously the ASA is letting ICMP packets in.

The funny thing is, if I send an email OUT from inside to my Gmail I get it just fine, but when I try to reply back IN I never get the email, and I never get a bounceback in my Gmail box of ANY KIND.

What am I doing wrong here?
andrewis (United Kingdom) replied:

Looks like you're missing the static NAT.

Try adding:

conf t
static (inside,outside) tcp 74.xxx.xxx.149 25  150.50.1.37 25 netmask 255.255.255.255
clear xlate

IIRC, Postini needs a connection into the mail server to forward in the mail.

What I do not see in your post is a static translation or a port forward command sending information INTO your email server's IP address. Right now, Postini is configured to use your ASA's IP, and there is no email server answering there.

Without looking at the entire firewall config, it looks like you are only missing the STATIC command.

If you have a block of IPs available, then you can do a 1-to-1 static map:
STATIC (inside,outside) <outside ip> <inside ip> netmask <inside ip mask>

If you have only the 1 IP on the interface available, then you need to forward the port to the internal box using:
STATIC (inside,outside) tcp 74.xxx.xxx.149 <port #> <inside ip> <port #> netmask <inside mask>
 
You can add as many port forwards as you need (I forget exactly what Postini needs).


The access-lists would allow inbound SMTP on the outside IP address you assign to the static.

Hope that helps, post back if you need clarification.
gedruspax (asker):

Alright, I added the static NAT, but the Postini web interface still says that it can't even connect to 74.xxx.xxx.149.

Enclosed is a picture of the graph from the Postini web interface; you'll notice what happens to the connection as soon as I switch it from .130 to .149.
Graph.jpg
Odd, it should have worked. Did you "clear xlate"?

You could set up a capture to make sure you can see the packets arriving at the firewall outside interface.

Example:

access-list capture permit tcp 64.18.0.0 255.255.240.0 host 74.xxx.xxx.149 eq smtp
capture SMTP access-list capture interface outside

sh capture SMTP


As soon as I change the default gateway in 150.50.1.1 back to 0.0.0.0 0.0.0.0 150.50.1.89 and change the Postini delivery address back to 74.xxx.xxx.130 (yeah, I know you can see the IPs on the graph, I'm dumb) everything starts working properly again.

I have to be missing something here, but I'm not sure what it is.

Would it help for me to post my ASA config?
Yeah, post it; it should help.


What STATIC command did you opt for? The port forward on .149 or the static 1-to-1 on some other address?

In either case, to test, you should be able to telnet to port 25 on the IP you opted for from a host on the outside. If you get a response, then the firewall is configured correctly and we can double-check the Postini requirements. Also, for testing, you should consider disabling the FIXUP SMTP.

OK, here are the results when I run a packet trace on the access-list [outside interface name]_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 74.xxx.xxx.149 eq smtp rule in the ASDM software:

Interface Outside
Source IP 64.18.0.1
Source Port 1065
Dest IP 74.253.1.49
Dest Port 25

Type - NAT
Subtype - rpf-check
Action - DROP
 
Config
nat (Inside_INF) 0 access-list Inside_INF_nat0_outbound
nat (Inside_INF) 20 150.50.1.0 255.255.255.0
match ip Inside_INF 150.50.1.0 255.255.255.0 DMZ any
dynamic translation to pool 20 (74.253.1.149 [Interface PAT])
translate_hits = 42537, untranslate_hits = 1972

Result - Packet is dropped

Input Int - Outside - up up
output int - inside - up up

info - (acl-drop) flow is denied by configured rule.
Your destination IP in the test was:
Dest IP 74.253.1.49
Dest Port 25


In the examples you have 74.xxx.xxx.149.

It doesn't match up.

OK, I am attaching the ASA config.

A few things to keep in mind, and what I've tried so far.

We have several sites connected with frame relay.

150.50.1.0 network
150.50.2.0 network
150.50.3.0 network
150.50.4.0 network
150.50.5.0 network
150.50.10.0 network
150.50.11.0 network
and 150.50.12.0 network

Now if I REMOVE the dynamic NAT entry on the inside interface, the packet trace from my previous post works like a charm! But the kicker is I lose internet access at ALL my remote sites besides the main admin complex (150.50.1.0 network). If I put the dynamic rule back in I get my internet access back at all remote sites, but then the packet trace for Postini fails.
ASA.txt
Mike Kane - I saw that and fixed it and reran the packet trace and still got the same results; that was a typo on my part when I was entering the config info, but it didn't fix the problem.
There is something about the dynamic NAT rule that I have on the inside interface that is causing the packet drops. I just can't figure out why.
I do not see any STATICs to send traffic inside the network.  

To have traffic move from a lower security interface (the DMZ) to the higher security interface (the Inside) you need a STATIC map.    

You will need to add:
STATIC (inside,outside) tcp interface 25 150.50.1.33 25 netmask 255.255.255.255    

Then you need to allow the traffic with an access list; you already have this:
access-list DMZ_access_in extended permit tcp interface DMZ eq smtp host 150.50.1.33 eq smtp

Then test it.   You should have port 25 open to the outside world on your interface IP redirected into the mail server now.
Now I get this on a packet trace from 64.18.0.1 ----> 150.50.1.149:

Type - NAT
Subtype - rpf-check
Action - DROP
Config
static (Inside_INF,DMZ) tcp interface smtp 150.50.1.149 smtp netmask 255.255.255.255
match tcp Inside_INF host 150.50.1.149 eq 25 DMZ any
static translation to 74.253.1.149/25
translate_hits = 0, untranslate_hits = 0

(acl-drop) flow is denied by configured rule
And if I run a trace from 150.50.1.149 (inside ASA int) to 150.50.1.37 (Exchange)

I get:

Type - NAT
Action - DROP
Config
nat (Inside_INF) 0 access-list Inside_INF_nat0_outbound
nat (Inside_INF) 20 0.0.0.0 0.0.0.0 dns
match ip Inside_INF any Inside_INF any
dynamic translation to pool 20 (No matching global)
translate_hits = 2, untranslate_hits = 0
Alright, at this point I have any-any traffic allowed on inside and outside interfaces, incoming and outgoing. The thing is wide open, so this has got to be a NAT issue.
ASKER CERTIFIED SOLUTION
andrewis
andrew is correct; I gave you a static going inside to outside, habit I suppose. Yours is in the DMZ.
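For reference, the pieces the thread arrives at (a static port redirection on the correct interface pair, an inbound ACL on the public-facing interface, clear xlate, then packet-tracer to confirm) are consolidated below in pre-8.3 ASA syntax, the same style of "static (inside,outside)" the thread uses. This is an added example, not the asker's configuration or any respondent's post. Assumptions: the interfaces are named "inside" (toward 150.50.1.0/24, security-level 100) and "outside" (security-level 0, holding the public IP), the public address 203.0.113.149 is a documentation address standing in for the masked 74.xxx.xxx.149, and the ASA uses interface PAT for outbound traffic. The mail server 150.50.1.37 and the Postini range 64.18.0.0 255.255.240.0 are taken from the question.

```cisco
! Added example, not from the thread. Publishes SMTP on the ASA's own outside
! address (interface PAT) and redirects it to the Exchange server, ASA 8.2 style.
! Assumed: nameif inside / nameif outside; public IP 203.0.113.149 (placeholder).

! 1. Outbound dynamic PAT for the inside networks (the thread already has this;
!    it covers 150.50.1.0 through 150.50.12.0 in one line).
nat (inside) 1 150.50.0.0 255.255.0.0
global (outside) 1 interface

! 2. Static port redirection. The pair is (interface the server sits behind,
!    interface the traffic arrives on). Without a matching static, an inbound
!    SYN to :25 is evaluated against the dynamic PAT rule and packet-tracer
!    reports "Type: NAT, Subtype: rpf-check, Action: DROP", which is exactly
!    what the asker's trace showed. A static written for the wrong interface
!    pair is never consulted for this flow and gives the same drop.
static (inside,outside) tcp interface smtp 150.50.1.37 smtp netmask 255.255.255.255

! 3. Inbound ACL on the outside interface. On pre-8.3 code the destination is
!    the untranslated (public) address; since the static uses the interface IP,
!    write it as "interface outside". Source is limited to the Postini range so
!    direct SMTP from the rest of the Internet cannot bypass the filtering service.
access-list outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 interface outside eq smtp
access-group outside_access_in in interface outside

! 4. Drop existing translations so the new static takes effect immediately.
clear xlate

! 5. Verify on the ASA before changing Postini's delivery address. The source
!    port is arbitrary; the destination is the real public IP, not an inside IP.
packet-tracer input outside tcp 64.18.0.1 1065 203.0.113.149 25 detailed
! Expected: a phase listing the static above, an ACCESS-LIST phase matching
! outside_access_in, output-interface inside, and "Action: allow".
```

Two checks worth doing after this: run the packet-tracer with a source outside 64.18.0.0/20 and confirm it is denied by the ACL, and, as suggested earlier in the thread, connect to port 25 of the public address from an external host and confirm the Exchange banner comes back. On ASA 8.3 and later the same publish is written as an object with `nat (inside,outside) static interface service tcp smtp smtp`, and the inbound ACL then references the server's real address (150.50.1.37) instead of the public one.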